@better-auth/sso 1.4.0-beta.2 → 1.4.0-beta.20

package/src/saml.test.ts

@@ -1,31 +1,31 @@
-import {
-	afterAll,
-	beforeAll,
-	beforeEach,
-	describe,
-	expect,
-	it,
-	vi,
-} from "vitest";
+import { betterFetch } from "@better-fetch/fetch";
 import { betterAuth } from "better-auth";
 import { memoryAdapter } from "better-auth/adapters/memory";
 import { createAuthClient } from "better-auth/client";
-import { betterFetch } from "@better-fetch/fetch";
 import { setCookieToHeader } from "better-auth/cookies";
 import { bearer } from "better-auth/plugins";
-import { sso } from ".";
-import { ssoClient } from "./client";
-import { createServer } from "http";
-import * as saml from "samlify";
+import { getTestInstance } from "better-auth/test";
+import bodyParser from "body-parser";
+import { randomUUID } from "crypto";
 import type {
 	Application as ExpressApp,
 	Request as ExpressRequest,
 	Response as ExpressResponse,
 } from "express";
 import express from "express";
-import bodyParser from "body-parser";
-import { randomUUID } from "crypto";
-import { getTestInstanceMemory } from "better-auth/test";
+import { createServer } from "http";
+import * as saml from "samlify";
+import {
+	afterAll,
+	beforeAll,
+	beforeEach,
+	describe,
+	expect,
+	it,
+	vi,
+} from "vitest";
+import { sso } from ".";
+import { ssoClient } from "./client";
 
 const spMetadata = `
     <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://localhost:3001/api/sso/saml2/sp/metadata">
@@ -242,7 +242,7 @@ const certificate = `
     yyoWAJDUHiAmvFA=
     -----END CERTIFICATE-----
     `;
-const idpEncyptionKey = `
+const idpEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -274,7 +274,7 @@ const idpEncyptionKey = `
     ISbutnQPUN5fsaIsgKDIV3T7n6519t6brobcW5bdigmf5ebFeZJ16/lYy6V77UM5
     -----END RSA PRIVATE KEY-----
     `;
-const spEncyptionKey = `
+const spEncryptionKey = `
     -----BEGIN RSA PRIVATE KEY-----
     Proc-Type: 4,ENCRYPTED
     DEK-Info: DES-EDE3-CBC,860FDB9F3BE14699
@@ -698,7 +698,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -707,7 +707,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -754,7 +754,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -763,7 +763,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -782,6 +782,69 @@ describe("SAML SSO", async () => {
 		expect(spMetadataRes.status).toBe(200);
 		expect(spMetadataResResValue).toBe(spMetadata);
 	});
+	it("Should fetch sp metadata", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+		const issuer = "http://localhost:8081";
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-provider-1",
+				issuer: issuer,
+				domain: issuer,
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: `${issuer}/api/sso/saml2/sp/acs`,
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+						privateKey: idpPrivateKey,
+						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
+						isAssertionEncrypted: true,
+						encPrivateKey: idpEncryptionKey,
+						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
+					},
+					spMetadata: {
+						binding: "post",
+						privateKey: spPrivateKey,
+						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
+						isAssertionEncrypted: true,
+						encPrivateKey: spEncryptionKey,
+						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		const spMetadataRes = await auth.api.spMetadata({
+			query: {
+				providerId: provider.providerId,
+			},
+		});
+		const spMetadataResResValue = await spMetadataRes.text();
+		expect(spMetadataRes.status).toBe(200);
+		expect(spMetadataResResValue).toBeDefined();
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+		);
+		expect(spMetadataResResValue).toContain(
+			"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
+		);
+		expect(spMetadataResResValue).toContain(
+			`<EntityDescriptor entityID="${issuer}"`,
+		);
+		expect(spMetadataResResValue).toContain(
+			`Location="${issuer}/api/sso/saml2/sp/acs"`,
+		);
+	});
 	it("should initiate SAML login and handle response", async () => {
 		const headers = await getAuthHeaders();
 		const res = await authClient.signIn.email(testUser, {
@@ -805,7 +868,7 @@ describe("SAML SSO", async () => {
 						privateKey: idpPrivateKey,
 						privateKeyPass: "q9ALNhGT5EhfcRmp8Pg7e9zTQeP2x1bW",
 						isAssertionEncrypted: true,
-						encPrivateKey: idpEncyptionKey,
+						encPrivateKey: idpEncryptionKey,
 						encPrivateKeyPass: "g7hGcRmp8PxT5QeP2q9Ehf1bWe9zTALN",
 					},
 					spMetadata: {
@@ -814,7 +877,7 @@ describe("SAML SSO", async () => {
 						privateKey: spPrivateKey,
 						privateKeyPass: "VHOSp5RUiBcrsjrcAuXFwU1NKCkGA8px",
 						isAssertionEncrypted: true,
-						encPrivateKey: spEncyptionKey,
+						encPrivateKey: spEncryptionKey,
 						encPrivateKeyPass: "BXFNKpxrsjrCkGA8cAu5wUVHOSpci1RU",
 					},
 					identifierFormat:
@@ -863,7 +926,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is set to 0", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 0 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -894,7 +957,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [sso({ providersLimit: 1 })],
 		});
 		const { headers } = await signInWithTestUser();
@@ -948,7 +1011,7 @@ describe("SAML SSO", async () => {
 	});
 
 	it("should not allow creating a provider if limit from function is reached", async () => {
-		const { auth, signInWithTestUser } = await getTestInstanceMemory({
+		const { auth, signInWithTestUser } = await getTestInstance({
 			plugins: [
 				sso({
 					providersLimit: async (user) => {
@@ -1006,4 +1069,53 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should not allow creating a provider with duplicate providerId", async () => {
+		const headers = await getAuthHeaders();
+		await authClient.signIn.email(testUser, {
+			throw: true,
+			onSuccess: setCookieToHeader(headers),
+		});
+
+		await auth.api.registerSSOProvider({
+			body: {
+				providerId: "duplicate-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: mockIdP.metadataUrl,
+					cert: certificate,
+					callbackUrl: "http://localhost:8081/api/sso/saml2/callback",
+					spMetadata: {
+						metadata: spMetadata,
+					},
+				},
+			},
+			headers,
+		});
+
+		await expect(
+			auth.api.registerSSOProvider({
+				body: {
+					providerId: "duplicate-provider",
+					issuer: "http://localhost:8082",
+					domain: "http://localhost:8082",
+					samlConfig: {
+						entryPoint: mockIdP.metadataUrl,
+						cert: certificate,
+						callbackUrl: "http://localhost:8082/api/sso/saml2/callback",
+						spMetadata: {
+							metadata: spMetadata,
+						},
+					},
+				},
+				headers,
+			}),
+		).rejects.toMatchObject({
+			status: "UNPROCESSABLE_ENTITY",
+			body: {
+				message: "SSO provider with this providerId already exists",
+			},
+		});
+	});
 });

package/src/types.ts

@@ -0,0 +1,208 @@
+import type { OAuth2Tokens, User } from "better-auth";
+
+export interface OIDCMapping {
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	image?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
+}
+
+export interface SAMLMapping {
+	id?: string | undefined;
+	email?: string | undefined;
+	emailVerified?: string | undefined;
+	name?: string | undefined;
+	firstName?: string | undefined;
+	lastName?: string | undefined;
+	extraFields?: Record<string, string> | undefined;
+}
+
+export interface OIDCConfig {
+	issuer: string;
+	pkce: boolean;
+	clientId: string;
+	clientSecret: string;
+	authorizationEndpoint?: string | undefined;
+	discoveryEndpoint: string;
+	userInfoEndpoint?: string | undefined;
+	scopes?: string[] | undefined;
+	overrideUserInfo?: boolean | undefined;
+	tokenEndpoint?: string | undefined;
+	tokenEndpointAuthentication?:
+		| ("client_secret_post" | "client_secret_basic")
+		| undefined;
+	jwksEndpoint?: string | undefined;
+	mapping?: OIDCMapping | undefined;
+}
+
+export interface SAMLConfig {
+	issuer: string;
+	entryPoint: string;
+	cert: string;
+	callbackUrl: string;
+	audience?: string | undefined;
+	idpMetadata?:
+		| {
+				metadata?: string;
+				entityID?: string;
+				entityURL?: string;
+				redirectURL?: string;
+				cert?: string;
+				privateKey?: string;
+				privateKeyPass?: string;
+				isAssertionEncrypted?: boolean;
+				encPrivateKey?: string;
+				encPrivateKeyPass?: string;
+				singleSignOnService?: Array<{
+					Binding: string;
+					Location: string;
+				}>;
+		  }
+		| undefined;
+	spMetadata: {
+		metadata?: string | undefined;
+		entityID?: string | undefined;
+		binding?: string | undefined;
+		privateKey?: string | undefined;
+		privateKeyPass?: string | undefined;
+		isAssertionEncrypted?: boolean | undefined;
+		encPrivateKey?: string | undefined;
+		encPrivateKeyPass?: string | undefined;
+	};
+	wantAssertionsSigned?: boolean | undefined;
+	signatureAlgorithm?: string | undefined;
+	digestAlgorithm?: string | undefined;
+	identifierFormat?: string | undefined;
+	privateKey?: string | undefined;
+	decryptionPvk?: string | undefined;
+	additionalParams?: Record<string, any> | undefined;
+	mapping?: SAMLMapping | undefined;
+}
+
+export type SSOProvider = {
+	issuer: string;
+	oidcConfig?: OIDCConfig | undefined;
+	samlConfig?: SAMLConfig | undefined;
+	userId: string;
+	providerId: string;
+	organizationId?: string | undefined;
+	domain: string;
+};
+
+export interface SSOOptions {
+	/**
+	 * custom function to provision a user when they sign in with an SSO provider.
+	 */
+	provisionUser?:
+		| ((data: {
+				/**
+				 * The user object from the database
+				 */
+				user: User & Record<string, any>;
+				/**
+				 * The user info object from the provider
+				 */
+				userInfo: Record<string, any>;
+				/**
+				 * The OAuth2 tokens from the provider
+				 */
+				token?: OAuth2Tokens;
+				/**
+				 * The SSO provider
+				 */
+				provider: SSOProvider;
+		  }) => Promise<void>)
+		| undefined;
+	/**
+	 * Organization provisioning options
+	 */
+	organizationProvisioning?:
+		| {
+				disabled?: boolean;
+				defaultRole?: "member" | "admin";
+				getRole?: (data: {
+					/**
+					 * The user object from the database
+					 */
+					user: User & Record<string, any>;
+					/**
+					 * The user info object from the provider
+					 */
+					userInfo: Record<string, any>;
+					/**
+					 * The OAuth2 tokens from the provider
+					 */
+					token?: OAuth2Tokens;
+					/**
+					 * The SSO provider
+					 */
+					provider: SSOProvider;
+				}) => Promise<"member" | "admin">;
+		  }
+		| undefined;
+	/**
+	 * Default SSO provider configurations for testing.
+	 * These will take the precedence over the database providers.
+	 */
+	defaultSSO?:
+		| Array<{
+				/**
+				 * The domain to match for this default provider.
+				 * This is only used to match incoming requests to this default provider.
+				 */
+				domain: string;
+				/**
+				 * The provider ID to use
+				 */
+				providerId: string;
+				/**
+				 * SAML configuration
+				 */
+				samlConfig?: SAMLConfig;
+				/**
+				 * OIDC configuration
+				 */
+				oidcConfig?: OIDCConfig;
+		  }>
+		| undefined;
+	/**
+	 * Override user info with the provider info.
+	 * @default false
+	 */
+	defaultOverrideUserInfo?: boolean | undefined;
+	/**
+	 * Disable implicit sign up for new users. When set to true for the provider,
+	 * sign-in need to be called with with requestSignUp as true to create new users.
+	 */
+	disableImplicitSignUp?: boolean | undefined;
+	/**
+	 * Configure the maximum number of SSO providers a user can register.
+	 * You can also pass a function that returns a number.
+	 * Set to 0 to disable SSO provider registration.
+	 *
+	 * @example
+	 * ```ts
+	 * providersLimit: async (user) => {
+	 *   const plan = await getUserPlan(user);
+	 *   return plan.name === "pro" ? 10 : 1;
+	 * }
+	 * ```
+	 * @default 10
+	 */
+	providersLimit?:
+		| (number | ((user: User) => Promise<number> | number))
+		| undefined;
+	/**
+	 * Trust the email verified flag from the provider.
+	 *
+	 * ⚠️ Use this with caution — it can lead to account takeover if misused. Only enable it if users **cannot freely register new providers**. You can
+	 * prevent that by using `disabledPaths` or other safeguards to block provider registration from the client.
+	 *
+	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
+	 * providers in the `trustedProviders` list.
+	 * @default false
+	 */
+	trustEmailVerified?: boolean | undefined;
+}

package/tsconfig.json

@@ -1,20 +1,11 @@
 {
+  "extends": "../../tsconfig.base.json",
   "compilerOptions": {
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "target": "es2022",
-    "allowJs": true,
-    "resolveJsonModule": true,
-    "module": "ESNext",
-    "noEmit": true,
-    "moduleResolution": "Bundler",
-    "moduleDetection": "force",
-    "isolatedModules": true,
-    "verbatimModuleSyntax": true,
-    "strict": true,
-    "noImplicitOverride": true,
-    "noFallthroughCasesInSwitch": true
+    "lib": ["esnext", "dom", "dom.iterable"]
   },
-  "exclude": ["node_modules", "dist"],
-  "include": ["src"]
+  "references": [
+    {
+      "path": "../better-auth/tsconfig.json"
+    }
+  ]
 }

package/tsdown.config.ts

@@ -0,0 +1,8 @@
+import { defineConfig } from "tsdown";
+
+export default defineConfig({
+	dts: { build: true, incremental: true },
+	format: ["esm"],
+	entry: ["./src/index.ts", "./src/client.ts"],
+	external: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
+});

package/build.config.ts

@@ -1,12 +0,0 @@
-import { defineBuildConfig } from "unbuild";
-
-export default defineBuildConfig({
-	declaration: true,
-	rollup: {
-		emitCJS: true,
-	},
-	outDir: "dist",
-	clean: false,
-	failOnWarn: false,
-	externals: ["better-auth", "better-call", "@better-fetch/fetch", "stripe"],
-});

package/dist/client.cjs

@@ -1,10 +0,0 @@
-'use strict';
-
-const ssoClient = () => {
-  return {
-    id: "sso-client",
-    $InferServerPlugin: {}
-  };
-};
-
-exports.ssoClient = ssoClient;

package/dist/client.d.cts

@@ -1,11 +0,0 @@
-import { sso } from './index.cjs';
-import 'better-call';
-import 'better-auth';
-import 'zod/v4';
-
-declare const ssoClient: () => {
-    id: "sso-client";
-    $InferServerPlugin: ReturnType<typeof sso>;
-};
-
-export { ssoClient };

package/dist/client.d.ts

@@ -1,11 +0,0 @@
-import { sso } from './index.js';
-import 'better-call';
-import 'better-auth';
-import 'zod/v4';
-
-declare const ssoClient: () => {
-    id: "sso-client";
-    $InferServerPlugin: ReturnType<typeof sso>;
-};
-
-export { ssoClient };